Learn to analyze security risks using network tools and ask key questions that white/black/grey/red hat hackers consider. Explore network configuration, status, routing, and connectivity using tools like ifconfig, route, traceroute, and nslookup.
Network and System Security Risk Assessment --Network Tools
Ask yourself questions: • As a white/black/grey/red hat hacker, how would I collect information? • For example, what is the IP address range of our school?
Network Tools • ifconfig • traceroute • arp • netcat • tcpdump • wireshark • nmap • route
ifconfig • Network configuration and status
ifconfig - status of all network interfaces
ifconfig eth0 - status of the ethernet 0 connection
ifconfig eth0 down - shuts ethernet 0 down
ifconfig eth0 up - starts ethernet 0
ifconfig eth0 172.16.13.97 - assigns an IP address to ethernet 0
man ifconfig - more info
ifconfig output
eth1      Link encap:Ethernet  HWaddr 00:0A:B7:FE:36:DB
          inet addr:140.211.110.121  Bcast:140.211.110.255  Mask:255.255.255.0
          inet6 addr: fe80::20a:b7ff:fefe:36db/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5024 errors:1246 dropped:0 overruns:0 frame:1246
          TX packets:446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:11 txqueuelen:1000
          RX bytes:1329231 (1.2 MiB)  TX bytes:45872 (44.7 KiB)
          Interrupt:3 Base address:0x100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:157 errors:0 dropped:0 overruns:0 frame:0
          TX packets:157 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:43623 (42.6 KiB)  TX bytes:43623 (42.6 KiB)
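An added Python example (not part of the slides) that parses the classic ifconfig layout shown above and answers the deck's opening question, "what is our IP address range?", for each interface. It then raises the checks a risk assessor would note from this output: whether the reported broadcast address agrees with the netmask, whether the RX error ratio is unusually high, and whether collisions are occurring. The sample text is the slide's own output; the 5% error threshold is an assumption.

```python
import ipaddress
import re

# Sample input: the two interface blocks from the ifconfig slide above.
SAMPLE_IFCONFIG = """\
eth1      Link encap:Ethernet  HWaddr 00:0A:B7:FE:36:DB
          inet addr:140.211.110.121  Bcast:140.211.110.255  Mask:255.255.255.0
          inet6 addr: fe80::20a:b7ff:fefe:36db/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5024 errors:1246 dropped:0 overruns:0 frame:1246
          TX packets:446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:11 txqueuelen:1000
          RX bytes:1329231 (1.2 MiB)  TX bytes:45872 (44.7 KiB)
          Interrupt:3 Base address:0x100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:157 errors:0 dropped:0 overruns:0 frame:0
          TX packets:157 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:43623 (42.6 KiB)  TX bytes:43623 (42.6 KiB)
"""

def parse_ifconfig(text):
    """Split classic ifconfig output into one dict per interface."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():              # a new interface block starts in column 0
            name = line.split()[0]
            current = ifaces[name] = {"name": name}
            hw = re.search(r"HWaddr (\S+)", line)
            if hw:
                current["mac"] = hw.group(1).lower()
            continue
        m = re.search(r"inet addr:(\S+)(?:\s+Bcast:(\S+))?\s+Mask:(\S+)", line)
        if m:
            current["ip"], current["bcast"], current["mask"] = m.group(1), m.group(2), m.group(3)
        m = re.search(r"RX packets:(\d+) errors:(\d+) dropped:(\d+)", line)
        if m:
            current["rx_packets"], current["rx_errors"], current["rx_dropped"] = map(int, m.groups())
        m = re.search(r"collisions:(\d+)", line)
        if m:
            current["collisions"] = int(m.group(1))
        if line.strip().startswith("UP"):      # flag word list precedes "MTU:"
            current["flags"] = line.split("MTU")[0].split()
    return ifaces

def network_of(iface):
    """The IP range this interface sits in, derived from address and netmask."""
    return ipaddress.ip_interface(f"{iface['ip']}/{iface['mask']}").network

def health_checks(iface, max_error_ratio=0.05):
    """Findings a reviewer would raise for one interface (threshold is an assumption)."""
    findings = []
    net = network_of(iface)
    if iface.get("bcast") and iface["bcast"] != str(net.broadcast_address):
        findings.append(f"{iface['name']}: Bcast {iface['bcast']} != computed {net.broadcast_address}")
    rx = iface.get("rx_packets", 0)
    if rx and iface.get("rx_errors", 0) / rx > max_error_ratio:
        findings.append(f"{iface['name']}: RX error ratio {iface['rx_errors'] / rx:.1%} exceeds {max_error_ratio:.0%}")
    if iface.get("collisions", 0):
        findings.append(f"{iface['name']}: {iface['collisions']} collisions (half-duplex or shared segment?)")
    return findings

if __name__ == "__main__":
    for iface in parse_ifconfig(SAMPLE_IFCONFIG).values():
        print(iface["name"], network_of(iface), health_checks(iface))
```

On the slide's eth1 the parser reports the range 140.211.110.0/24 and two findings: roughly one in four received frames is in error (matching the frame:1246 count) and 11 collisions, both worth a look before any security work starts on that segment.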
route • Configure or report the status of the host's routing table
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
Route command • man route • What will happen if we “route del default”?
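To work through the question on the slide, here is an added Python model of the kernel's route selection (longest prefix match, lowest metric on ties) run over the `route -n` table above. It is example code, not from the slides; the default route via 192.168.0.254 is an assumption added to the slide's two entries so that `route del default` has an effect to show.

```python
import ipaddress

# Constructed `route -n` output: the two entries from the slide plus an assumed
# default route, so that deleting the default has something to remove.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 vmnet8
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
"""

def parse_route_n(text):
    """Turn the `route -n` table into a list of route dicts (skips the two header lines)."""
    routes = []
    for line in text.splitlines()[2:]:
        dest, gw, mask, flags, metric, _ref, _use, iface = line.split()
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{mask}"),
            "gateway": None if gw == "0.0.0.0" else gw,   # None = directly connected
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes

def lookup(routes, dst):
    """Kernel-style choice: longest matching prefix, lowest metric on ties; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))

def reachable(routes, dst):
    """(iface, next_hop) for dst, or None where the kernel would say 'Network is unreachable'."""
    r = lookup(routes, dst)
    return None if r is None else (r["iface"], r["gateway"])

def route_del_default(routes):
    """Model `route del default`: drop the 0.0.0.0/0 entry and return the remaining table."""
    return [r for r in routes if r["network"].prefixlen != 0]

if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    for dst in ("8.8.8.8", "192.168.0.9", "127.0.0.1"):
        print(dst, "before:", reachable(table, dst), "after:", reachable(route_del_default(table), dst))
```

Before the deletion, 8.8.8.8 is forwarded to the gateway on vmnet8; afterwards there is no matching entry, so connections to anything off the local subnet fail with "Network is unreachable", while 192.168.0.x and loopback traffic still work because their more specific routes remain.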
traceroute host_name • Determines connectivity to a remote host • Uses UDP • Options • -f set initial TTL • -F set the don't-fragment bit • -I use ICMP echo request instead of UDP • -t set type of service • -v verbose output • What if we try ping 192.168.137.1 -m 1 • And ping fbbs.ustc.edu.cn -m 1
traceroute Example
traceroute www.f-prot.com
 1  BBCisco-91.sou.edu (140.211.91.1)  0.654 ms  0.544 ms  0.504 ms
 2  scrubber.sou.edu (140.211.102.34)  0.416 ms  0.386 ms  0.522 ms
 3  sou-pop.nero.net (140.211.4.1)  1.638 ms  1.598 ms  1.561 ms
 4  corv-car2-gw.nero.net (140.211.1.25)  15.474 ms  24.891 ms corv-car2-gw.nero.net (140.211.0.185)  22.227 ms
 5  corv-car1-gw.nero.net (207.98.64.193)  20.046 ms  20.204 ms  21.661 ms
 6  ptld-core1-gw.nero.net (207.98.64.21)  21.631 ms  18.890 ms  31.521 ms
 7  ptld-core2-gw.nero.net (207.98.64.177)  18.932 ms  28.446 ms  23.135 ms
 8  ptck-core1-gw.nero.net (207.98.64.10)  19.978 ms  18.329 ms  30.266 ms
 9  POS6-1.hsipaccess2.Seattle1.Level3.net (63.211.200.245)  26.382 ms  31.671 ms  21.383 ms
10  ge-4-0-1.mp1.Seattle1.level3.net (209.247.9.61)  25.033 ms  28.164 ms  28.482 ms
11  gig11-1.hsa1.Seattle1.level3.net (209.247.9.46)  19.209 ms  44.756 ms  22.834 ms
12  core1.Seattle.Teleglobe.net (209.0.227.142)  54.156 ms  62.715 ms  34.783 ms
13  if-13-0.core2.Sacramento.Teleglobe.net (64.86.83.193)  45.352 ms  50.686 ms  47.254 ms
14  if-1-0.core2.Sacramento.Teleglobe.net (64.86.83.222)  46.497 ms  62.374 ms  75.823 ms
15  if-9-0.core2.Chicago3.Teleglobe.net (64.86.83.137)  98.147 ms  98.298 ms  103.634 ms
16  if-2-0.core3.NewYork.Teleglobe.net (64.86.83.218)  97.669 ms  103.466 ms  100.087 ms
17  if-10-0.core1.NewYork.Teleglobe.net (66.110.8.133)  97.588 ms  103.310 ms  100.475 ms
18  if-5-0-0.bb6.NewYork.teleglobe.net (207.45.221.104)  179.906 ms  101.384 ms  187.031 ms
19  ix-1-0-1.bb6.NewYork.Teleglobe.net (207.45.205.114)  163.676 ms  162.706 ms  165.844 ms
20  MultiGigabit-13.backbone-hofdab1.linanet.is (62.145.129.187)  166.070 ms  164.363 ms  176.033 ms
21  gigabit-1-1.skulagata.linanet.is (213.220.64.7)  167.057 ms  180.174 ms  191.346 ms
22  customer-gigabit-1-123.skulagata.linanet.is (62.145.130.150)  171.756 ms !X  *  163.602 ms !X
Tracert in Windows • tracert fbbs.ustc.edu.cn
Tracing route to fbbs.ustc.edu.cn [202.38.64.3]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     2 ms     3 ms     3 ms  58.210.228.1
  3     2 ms     2 ms     3 ms  222.92.172.53
  4     9 ms    11 ms     7 ms  221.224.229.245
  5     9 ms    10 ms     9 ms  202.97.27.2
  6    12 ms    12 ms    13 ms  202.97.82.53
  7    19 ms    11 ms    11 ms  202.97.48.254
  8     *        *        *     Request timed out.
  9    29 ms    29 ms    31 ms  202.127.216.201
 10   302 ms   285 ms   285 ms  szgz3.cernet.net [202.112.46.222]
 11   274 ms   279 ms   268 ms  hzsh3.cernet.net [202.112.46.134]
 12   282 ms   280 ms   266 ms  210.45.224.63
 13   278 ms   275 ms   285 ms  bbs.ustc.edu.cn [202.38.64.3]
Trace complete.
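An added Python example (not from the slides) that parses both the Unix traceroute output and the Windows tracert output shown on the two slides above into one structure, handling the details that trip up naive parsers: a hop answered by two different routers (hop 4 of the Unix trace), a hop that never answers (hop 8 of the Windows trace, "Request timed out."), and the `!X` annotation on the Unix trace's last hop, which traceroute uses for "communication administratively prohibited". It then lists the findings a reviewer would write down, including the largest latency jump along the path. The sample text is taken from the slides; the 100 ms jump threshold is an assumption.

```python
import re

# Sample input: the Unix traceroute and Windows tracert outputs from the slides above,
# embedded so the parser runs offline.
UNIX_TRACE = """\
 1  BBCisco-91.sou.edu (140.211.91.1)  0.654 ms  0.544 ms  0.504 ms
 2  scrubber.sou.edu (140.211.102.34)  0.416 ms  0.386 ms  0.522 ms
 3  sou-pop.nero.net (140.211.4.1)  1.638 ms  1.598 ms  1.561 ms
 4  corv-car2-gw.nero.net (140.211.1.25)  15.474 ms  24.891 ms corv-car2-gw.nero.net (140.211.0.185)  22.227 ms
 5  corv-car1-gw.nero.net (207.98.64.193)  20.046 ms  20.204 ms  21.661 ms
 6  ptld-core1-gw.nero.net (207.98.64.21)  21.631 ms  18.890 ms  31.521 ms
 7  ptld-core2-gw.nero.net (207.98.64.177)  18.932 ms  28.446 ms  23.135 ms
 8  ptck-core1-gw.nero.net (207.98.64.10)  19.978 ms  18.329 ms  30.266 ms
 9  POS6-1.hsipaccess2.Seattle1.Level3.net (63.211.200.245)  26.382 ms  31.671 ms  21.383 ms
10  ge-4-0-1.mp1.Seattle1.level3.net (209.247.9.61)  25.033 ms  28.164 ms  28.482 ms
11  gig11-1.hsa1.Seattle1.level3.net (209.247.9.46)  19.209 ms  44.756 ms  22.834 ms
12  core1.Seattle.Teleglobe.net (209.0.227.142)  54.156 ms  62.715 ms  34.783 ms
13  if-13-0.core2.Sacramento.Teleglobe.net (64.86.83.193)  45.352 ms  50.686 ms  47.254 ms
14  if-1-0.core2.Sacramento.Teleglobe.net (64.86.83.222)  46.497 ms  62.374 ms  75.823 ms
15  if-9-0.core2.Chicago3.Teleglobe.net (64.86.83.137)  98.147 ms  98.298 ms  103.634 ms
16  if-2-0.core3.NewYork.Teleglobe.net (64.86.83.218)  97.669 ms  103.466 ms  100.087 ms
17  if-10-0.core1.NewYork.Teleglobe.net (66.110.8.133)  97.588 ms  103.310 ms  100.475 ms
18  if-5-0-0.bb6.NewYork.teleglobe.net (207.45.221.104)  179.906 ms  101.384 ms  187.031 ms
19  ix-1-0-1.bb6.NewYork.Teleglobe.net (207.45.205.114)  163.676 ms  162.706 ms  165.844 ms
20  MultiGigabit-13.backbone-hofdab1.linanet.is (62.145.129.187)  166.070 ms  164.363 ms  176.033 ms
21  gigabit-1-1.skulagata.linanet.is (213.220.64.7)  167.057 ms  180.174 ms  191.346 ms
22  customer-gigabit-1-123.skulagata.linanet.is (62.145.130.150)  171.756 ms !X  *  163.602 ms !X
"""

WINDOWS_TRACE = """\
Tracing route to fbbs.ustc.edu.cn [202.38.64.3]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     2 ms     3 ms     3 ms  58.210.228.1
  3     2 ms     2 ms     3 ms  222.92.172.53
  4     9 ms    11 ms     7 ms  221.224.229.245
  5     9 ms    10 ms     9 ms  202.97.27.2
  6    12 ms    12 ms    13 ms  202.97.82.53
  7    19 ms    11 ms    11 ms  202.97.48.254
  8     *        *        *     Request timed out.
  9    29 ms    29 ms    31 ms  202.127.216.201
 10   302 ms   285 ms   285 ms  szgz3.cernet.net [202.112.46.222]
 11   274 ms   279 ms   268 ms  hzsh3.cernet.net [202.112.46.134]
 12   282 ms   280 ms   266 ms  210.45.224.63
 13   278 ms   275 ms   285 ms  bbs.ustc.edu.cn [202.38.64.3]
Trace complete.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")          # hop lines start with the hop number
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")    # dotted quads in "(ip)" or "[ip]" or bare
RTT_RE = re.compile(r"<?(\d+(?:\.\d+)?) ms")            # "<1 ms" on Windows is read as 1 ms
ANNOT_RE = re.compile(r"!\w+")                          # traceroute ICMP annotations, e.g. !X

def parse_trace(text):
    """Parse hop lines from Unix traceroute or Windows tracert; header/trailer lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rest = m.group(2)
        addrs = []
        for ip in IP_RE.findall(rest):
            if ip not in addrs:            # hop 4 above is answered by two routers
                addrs.append(ip)
        hops.append({
            "hop": int(m.group(1)),
            "addrs": addrs,
            "rtts": [float(x) for x in RTT_RE.findall(rest)],
            "timeouts": rest.split().count("*"),
            "annotations": sorted(set(ANNOT_RE.findall(rest))),
        })
    return hops

def _min_rtts(hops):
    """[(hop, minimum RTT)] over the hops that returned at least one reply."""
    return [(h["hop"], min(h["rtts"])) for h in hops if h["rtts"]]

def largest_jump(hops):
    """(hop, ms): where the minimum RTT grows most between consecutive replying hops."""
    m = _min_rtts(hops)
    return max(((b[0], b[1] - a[1]) for a, b in zip(m, m[1:])), key=lambda x: x[1])

def findings(hops, jump_ms=100):
    """Reviewer notes per hop: silent, load-balanced, admin-prohibited, latency-jump (threshold assumed)."""
    out = [(h["hop"], "silent") for h in hops if not h["rtts"]]
    out += [(h["hop"], "load-balanced") for h in hops if len(h["addrs"]) > 1]
    out += [(h["hop"], "admin-prohibited") for h in hops if "!X" in h["annotations"]]
    m = _min_rtts(hops)
    out += [(b[0], "latency-jump") for a, b in zip(m, m[1:]) if b[1] - a[1] > jump_ms]
    return sorted(out)
```

On the Unix trace the findings are hop 4 (load-balanced) and hop 22 (administratively prohibited: a filter at the destination's network answered the probe rather than the host). On the Windows trace they are hop 8 (silent, so the device either drops or rate-limits ICMP) and hop 10 (a jump of about 256 ms in minimum RTT, the long-haul leg into CERNET).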
nslookup • nslookup www.baidu.com • nslookup www.facebook.com • nslookup www.facebook.com 8.8.8.8
host • Forward and reverse DNS lookups
host www.f-prot.com
www.f-prot.com has address 213.220.100.1
www.f-prot.com has address 213.220.100.2
www.f-prot.com has address 213.220.100.3
host 213.220.100.3
3.100.220.213.in-addr.arpa domain name pointer aula.frisk-software.com.
Host • Interesting Example • host fbbs.ustc.edu.cn • host 202.38.64.3 • host www.facebook.com • host 69.63.189.16
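The two host slides show that a reverse lookup need not return the name you started from: 213.220.100.3 maps back to aula.frisk-software.com, not www.f-prot.com, and the tracert slide resolved 202.38.64.3 to bbs.ustc.edu.cn although fbbs.ustc.edu.cn was traced. The check a reviewer applies is forward-confirmed reverse DNS (the PTR name's own A records must include the address). Below is an added Python example of that check, not from the slides; it uses in-memory records (the f-prot answers from the slide plus an assumed example.lab entry whose PTR does not confirm) in place of real resolver calls, which would otherwise be socket.gethostbyname_ex and socket.gethostbyaddr or the host command.

```python
import ipaddress

# Constructed resolver data: the www.f-prot.com answers from the `host` slide, plus an
# assumed example.lab entry (not from the slides) whose PTR does not point back.
A_RECORDS = {
    "www.f-prot.com": ["213.220.100.1", "213.220.100.2", "213.220.100.3"],
    "aula.frisk-software.com": ["213.220.100.3"],
    "example.lab": ["198.51.100.10"],
}
PTR_RECORDS = {
    "213.220.100.3": "aula.frisk-software.com",
    "198.51.100.10": "mail.example.lab",      # no A record for this name in A_RECORDS
}

def reverse_name(ip):
    """The name `host` actually queries for a reverse lookup, e.g. 3.100.220.213.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def lookup_a(name):
    """Forward lookup against the in-memory table (trailing dot tolerated)."""
    return A_RECORDS.get(name.rstrip("."), [])

def lookup_ptr(ip):
    """Reverse lookup against the in-memory table; None when no PTR exists."""
    return PTR_RECORDS.get(ip)

def fcrdns(ip):
    """Forward-confirmed reverse DNS.
    Returns (status, ptr_name) with status 'confirmed', 'mismatch' or 'no-ptr'."""
    name = lookup_ptr(ip)
    if name is None:
        return ("no-ptr", None)
    return ("confirmed" if ip in lookup_a(name) else "mismatch", name)

def audit(hostname):
    """For every address behind hostname: is there a PTR, and does it point back?"""
    return {ip: fcrdns(ip) for ip in lookup_a(hostname)}

if __name__ == "__main__":
    for host in ("www.f-prot.com", "example.lab"):
        print(host, audit(host))
```

For www.f-prot.com only the third address has a PTR, and it confirms even though the PTR name differs from the queried name; for the assumed example.lab entry the PTR name has no A record pointing back, which is the case mail and abuse filters treat as unverified.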
whois • whois discovers who owns a website or domain name by searching the WHOIS database • When you register a domain name, the Internet Corporation for Assigned Names and Numbers (ICANN) requires your domain name registrar to submit your personal contact information to the WHOIS database; the information is then public. • whois 69.63.189.19 • whois 202.38.64.3 • whois 219.219.223.10
netstat Example • Show the status of all network connections • Shows all listening ports
netstat -s  statistics
netstat -p  show the PID/program name
netstat -a  list all ports
netstat -at list all TCP ports
netstat -au list all UDP ports
netstat -l  list all listening ports; netstat -lt; netstat -lu
netstat -r  display routing information
netstat -i  interface information
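An added Python example (not from the slides) showing what a risk assessor does with the listening-port listing: parse `netstat -ltun` style output, split each local address into host and port (note the IPv6 forms `:::80` and `::1:6379`), and sort the listeners by reachability (all interfaces, one specific address, loopback only). Services bound to all interfaces that speak a cleartext protocol are singled out. The netstat text is constructed for this example, and the cleartext-port table is an assumption.

```python
# Constructed sample of `netstat -ltun` output (Linux layout, numeric addresses);
# not captured from the lecture's machine.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.9:8080        0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:6379                :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# Assumed table of services whose protocols carry credentials in cleartext.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}

def split_addr_port(local):
    """'0.0.0.0:22' -> ('0.0.0.0', 22); ':::80' -> ('::', 80); '::1:6379' -> ('::1', 6379)."""
    host, _, port = local.rpartition(":")
    return host, int(port)

def scope_of(host):
    """Where a socket bound to this address can be reached from."""
    if host in ("0.0.0.0", "::"):
        return "all-interfaces"
    if host in ("127.0.0.1", "::1"):
        return "loopback"
    return "specific"

def parse_listeners(text):
    """Return one dict per listening socket; UDP rows have no State column."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, local = parts[0], parts[3]
        state = parts[5] if len(parts) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        host, port = split_addr_port(local)
        listeners.append({"proto": proto, "host": host, "port": port, "scope": scope_of(host)})
    return listeners

def exposure_report(listeners):
    """Group ports by reachability and single out cleartext services reachable from off-host."""
    report = {"all-interfaces": set(), "specific": set(), "loopback": set(), "cleartext_exposed": []}
    for l in listeners:
        report[l["scope"]].add(l["port"])
        if l["scope"] != "loopback" and l["port"] in CLEARTEXT_PORTS:
            report["cleartext_exposed"].append((l["port"], CLEARTEXT_PORTS[l["port"]]))
    return report

if __name__ == "__main__":
    print(exposure_report(parse_listeners(NETSTAT_SAMPLE)))
```

On the sample, MySQL and Redis are reachable only via loopback, while SSH, FTP, HTTP and the DHCP client port are open on every interface; FTP is the one that a port scan of the kind the nmap slides describe would turn up as a cleartext login service.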
tcpdump • Packet sniffer • Installed with Linux • Commonly used • Its capture files are often the input for GUI front ends such as Wireshark
tcpdump Syntax • Syntax: tcpdump (options) -i (interface) -w (dump file) • Example: tcpdump -c 1000 -i eth0 -w eth0.dmp
tcpdump Options
-n            do not convert host addresses to names
-nn           do not convert protocols and ports to names
-i ethN       listen on interface ethN (eth0, eth1, eth2, ...)
-c xx         exit after xx packets
-e            print link-level info
-r file_name  read packets from file file_name
-v            slightly verbose
-vv           verbose
-vvv          very verbose
-w file_name  write packets to file file_name
-x            print packets in hex
-X            print packets in hex and ASCII
-S            print absolute sequence and acknowledgment numbers
netcat • Read & write UDP/TCP data (http://www.atstake.com/research/tools/) • Useful to test networks and performance
netcat • Copies data across network connections. • Uses UDP or TCP. • Reliable and robust. • Used directly at the command level. • Can be driven by other programs and scripts. • Very useful in forensic capture of a live system. • Simple paradigm: on the remote collecting system, open a listening port; on the current/compromised system, pipe data to the remote system; the connection is closed automatically after the data transfer has completed.
netcat • nc, the swiss army knife
nc -l 1234 (listen)
nc localhost 1234
which will establish a communication tunnel, a convenient way to talk to each other; when combined with redirection, it can be used to transfer a file:
nc -l 1234 > test
cat file | nc localhost 1234
netcat • echo -e "GET / HTTP/1.0\n\n" | nc localhost 80
which will show the homepage with its headers; nc doesn't do https, meaning nc -vv localhost 443 will show the connection succeeding but not the homepage
NMAP • Nmap is the most popular scanning tool used on the Internet. • Created by Fyodor (http://www.insecure.org); it was featured in the Matrix Reloaded movie.
Is Nmap the best tool? • Yes it is • Long history of development and support • Active user base, used in many products • Continuous development and improvements • “Industry Standard” port scanner • It’s free, open and well documented. • Stay current!
History of Nmap • First released September 1, 1997 in Phrack 51 “The Art of Portscanning” http://www.insecure.org/nmap/p51-11.txt • Many updates since then: • OS Detection (Phrack 54) • Idle scanning • Version scanning • ARP Scanning
nmap • nmap localhost • nmap localhost 192.168.137.221 • nmap 192.168.137.216-221 • nmap -O 192.168.137.221 • nmap -O 192.168.137.1
ARP • What happens after you type ftp server at the shell prompt ($)?
Address Resolution Protocol: ARP and RARP • ARP maps a 32-bit Internet address to a 48-bit Ethernet address • RARP maps a 48-bit Ethernet address back to a 32-bit Internet address
ARP Protocol Flow • Machine A wants to send a packet to B, knowing only B's IP address • Machine A broadcasts an ARP request with B's IP address • All machines on the local network receive the broadcast • Machine B replies with its physical address • Machine A adds B's address information to its ARP table • Machine A delivers the packet directly to B
ARP Protocol • Ethernet hardware addresses: 48-bit unique number; what the Ethernet interface card recognizes; the addresses used on the LAN • Ethernet frame format: link-level connection among machines • Frame types (EtherType): 0x0800 IP; 0x0806 ARP; 0x8035 RARP
ARP example • Wireshark • With the filter arp
ARP caching • To reduce communication cost, ARP maintains a cache of recently acquired IP-to-physical address bindings. • Each entry has a timer (usually 20 minutes) • The sender's IP-to-physical address binding is included in every broadcast; receivers update the binding in their cache before processing the ARP packet • ARP is stateless: a system updates its cache on any reply, whether or not it sent a request
ARP • arp -a example:
Internet Address      Physical Address      Type
192.168.0.9           00-0b-cd-d3-6e-91     dynamic
192.168.0.142         00-1e-90-be-ec-93     dynamic
192.168.0.254         00-0b-45-f6-98-00     dynamic
ARP poisoning • Question: How would you attack given ARP cache works?
ARP Poisoning • How would you modify a target machine’s ARP cache? • If you poisoned an ARP cache, how can you use this technique to compromise the security of your victim?
ARP Cache Poisoning • By sending a forged ARP reply, an attacker causes the target system to send frames destined for the victim to the attacker • There are various ways to conduct cache poisoning: broadcast, reply, gratuitous ARP message
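An added Python example, not from the slides, that ties the ARP Protocol slide (frame type 0x0806, 48-bit hardware and 32-bit protocol addresses) to the caching and poisoning slides. It decodes raw Ethernet/ARP frames (RFC 826 layout) and feeds them to a model of one host's ARP cache in two modes: the stateless behaviour the caching slide describes, where any reply updates the table, and a strict mode that only accepts replies to the host's own outstanding requests. In both modes an arpwatch-style alert is raised when an IP's binding changes; only the strict mode keeps the table intact. The frames are constructed in memory from the addresses on the `arp -a` slide and nothing is sent; the scenario (a second reply for the gateway's IP carrying the .142 host's MAC) is an assumption built to exercise the detector.

```python
import struct
from collections import namedtuple

ETHERTYPE_ARP = 0x0806          # frame type 0806 from the ARP Protocol slide
REQUEST, REPLY = 1, 2           # ARP opcodes (RFC 826)
Arp = namedtuple("Arp", "op sender_mac sender_ip target_mac target_ip")

def mac_bytes(s): return bytes.fromhex(s.replace(":", "").replace("-", ""))
def mac_str(b):   return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s):  return bytes(int(o) for o in s.split("."))
def ip_str(b):    return ".".join(str(x) for x in b)

def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Encode an Ethernet + ARP frame as constructed capture data for the parser; nothing is sent."""
    dst = mac_bytes("ff:ff:ff:ff:ff:ff") if op == REQUEST else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype Ethernet, ptype IPv4, hlen 6, plen 4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_frame(frame):
    """Return an Arp tuple for ARP frames; None for any other EtherType (e.g. 0x0800 IP)."""
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    p = frame[22:]
    return Arp(op, mac_str(p[0:6]), ip_str(p[6:10]), mac_str(p[10:16]), ip_str(p[16:20]))

class ArpCache:
    """One host's ARP cache with arpwatch-style alerting.
    strict=False: stateless update on every reply (the behaviour the caching slide describes).
    strict=True:  only replies to this host's own outstanding requests may change the table."""
    def __init__(self, our_mac, strict=False):
        self.our_mac, self.strict = our_mac, strict
        self.table, self.pending, self.alerts = {}, set(), []

    def observe(self, frame):
        pkt = parse_frame(frame)
        if pkt is None:
            return
        if pkt.op == REQUEST:
            if pkt.sender_mac == self.our_mac:
                self.pending.add(pkt.target_ip)         # we asked; a reply is now expected
            return
        if pkt.op != REPLY:
            return
        ip, mac = pkt.sender_ip, pkt.sender_mac
        solicited = ip in self.pending
        self.pending.discard(ip)
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(("binding-changed", ip, old, mac))
        elif old is None and not solicited:
            self.alerts.append(("unsolicited-reply", ip, None, mac))
        if solicited or not self.strict:
            self.table[ip] = mac

def run_sample(strict):
    """Constructed trace using the addresses from the `arp -a` slide (192.168.0.9 is 'us')."""
    us = "00:0b:cd:d3:6e:91"
    gw_mac, other_mac = "00:0b:45:f6:98:00", "00:1e:90:be:ec:93"
    cache = ArpCache(us, strict=strict)
    for frame in (
        build_arp_frame(REQUEST, us, "192.168.0.9", "00:00:00:00:00:00", "192.168.0.254"),
        build_arp_frame(REPLY, gw_mac, "192.168.0.254", us, "192.168.0.9"),     # the gateway answers
        build_arp_frame(REPLY, other_mac, "192.168.0.254", us, "192.168.0.9"),  # same IP, different MAC
        b"\x00" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 30,                    # an IP frame: ignored
    ):
        cache.observe(frame)
    return cache

if __name__ == "__main__":
    for strict in (False, True):
        c = run_sample(strict)
        print("strict" if strict else "stateless", c.table, c.alerts)
```

In stateless mode the second reply silently rewrites the gateway entry, which is exactly the effect the poisoning slide describes, and the only trace of it is the alert; in strict mode the alert fires too, but the table still points at the real gateway. Real deployments get the same protection at the switch (dynamic ARP inspection) or by pinning static entries for the gateway.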